Course or Module Title

Confidential – For Training Purposes

Only 1
Course or Module Title

This release of the MSA family firmware is not only to introduce new features and fix
issues, it is also to enhance the customer installation and configuration experience.
Often in reviewing customer issues we find that customers continue to experience
problems that have been previously resolved with firmware upgrades. We also find
that a skipped step during the initial installation can have detrimental effects later in
the system lifespan. To help in the customer experience and to try to avoid common
pitfalls in configuration we are now requiring a system settings walkthrough which we
call guided Configuration. The guided configuration will only present on new
installations.
This firmware release offers a couple of feature enhancements. We are pleased to
offer the ability to connect to a Microsoft Windows 2016 or 2012 R2 active directory
for user authentication. Also as an added feature is the I/O workload graph. The I/O
workload graph is an extension of the FLASH advisor program offered on the MSA
family. This workload graph can be used to give an overview of the MSA’s view of
data patterns over time.
The final feature enhancement is to improve the Random performance capabilities of
the MSA 1050.

Confidential – For Training Purposes Only 2

Course or Module Title

First we will walk through the guided configuration and the required visits

Confidential – For Training Purposes Only 3

Course or Module Title

For factory new HPE MSA 1050 and MSA 2050/2052 systems the user will be initially
taken to a new WELCOME screen presented in the HOME topic. The customer will be
guided, with required visits, through the best practices while setting up their Storage
System for the first time. Once all “required” visits are completed the customer can
click a link to bring up the familiar home page for the MSA family v3 System
Management Utility. The bolded and asterisks bulleted items on this page are
“Required”: Firmware Upgrade, User Management, Installing Licenses, setting Alert
Notifications and on some systems adjusting Port Settings.

Confidential – For Training Purposes Only 4

Course or Module Title

This is the Welcome page. Until all the required visits are complete every time you
click on the HOME Topic on the left side of the screen you will be presented with this
Welcome.
This page also presents the system current health state, if the system health is
degraded (for example if a power supply was not connected to a power source) there
will be a link to take you to the SYSTEM Topic where the customer can view and
resolve any degraded elements. This system’s health is GOOD.
The first required visit is to go to the Upgrade Firmware page.

Confidential – For Training Purposes Only 5

Course or Module Title

After clicking the UPGRADE FIRMWARE button on the welcome screen this is the
panel shown.
The easiest way to avoid encountering issues which have been previously found and
resolved is to stay current on the latest available firmware releases.
The first thing to point out on this panel is the circled GREEN active link at the top. As
sometimes finding the current firmware releases has not been the easiest process,
our support team has generated a web page specific for the MSA family of arrays
which clearly states the current revision of firmware for the controllers and for the
expansion enclosures. There are also links on the page to aid in determining the
current release of firmware for the Disk Drives.
The user can click through the tabs for Controller Modules, Expansion modules and
Disk Drives to determine the current versions on the system and compare those to
the versions listed on the linked site. If an upgrade is required the firmware can be
downloaded, with entitlement, directly from the linked site.
If your system is up to the current versions of firmware, then there are no actions
required on this panel. Simply click the close button to return to the Welcome screen.
The final setting on this panel is the Partner Firmware Update (PFU) setting. PFU is a
Best Practice to be enabled on the MSA 1050 and MSA 2050/2052 systems. This
setting will keep both controllers at the same firmware level to keep consistency of

Confidential – For Training Purposes Only 6

features and user experience. PFU will run a “Burn to Active” which means that if
controllers are at different firmware versions, the controller which was running in the
system will be the firmware version that the system will resolve to. This may be a
firmware downgrade for the new controller.
This same page will be available anytime the user clicks to upgrade firmware.

6
Course or Module Title

We have closed the Upgrade Firmware panel and are back to the Welcome ‘HOME’
topic.
Notice that the Upgrade Firmware Required Visit is now complete, allowing us to
move on to the system settings.
You can also see in this screen that the SYSTEM HEALTH is degraded. That was done
intentionally to demonstrate the button to verify the system health. The ALERT
message on the page states the Best Practice of solving any degraded issues before
proceeding in configuration. The degraded condition is resolved before we move on
to the system settings.

Confidential – For Training Purposes Only 7

Course or Module Title

This is the new view of all system settings. This same panel will appear whenever the
customer goes to adjust any of the system settings. We believe that by having all the
system settings appear when any one is configured that it will serve as a reminder to
check other system settings. For example if the customer goes in to change the Time
Zone Offset to align to a time zone shift, they will also see the notifications and think
that they may want to add the new SNMP trap destination that was added to their
infrastructure.
As we have not completed the Guided Configuration, you will see some Required
Visits on this page. Flagged by the ‘*’. Each of these sections must be visited and
completed before the customer has the ability to view the standard HOME topic
screen.
This panel can be configured like a wizard where settings can be set on each topic and
then applied in one click at the end but the best practice would be to apply each
panel as you complete them and before moving on to the next system setting.
On this panel we see the settings for the date and time. Date and time can be
entered manually or can be set to a NTP source.
Next is the Manage Users topic

Confidential – For Training Purposes Only 8

Course or Module Title

On this panel we see the settings for User Management.

There are 2 Sub-Tabs on this Panel: Local Users and LDAP Users. We will go into
more detail of the LDAP user configuration a little later.
The statement at the top of the panel is directing users toward the best practice of
changing all the default user passwords. To change the password for a user, you must
first select the user then set the password and confirm the password, then click
Apply. Once that is complete the asterisk on that user will be removed. The user can
also create new local users from this page. It is permitted to delete the default users
but you can not delete the last ‘manage’ user from the system. Please review the
HPE MSA System Management Utility Reference Guide for the available settings for
each user.
Applying each user password change and then moving to the next System Setting:
Install License

Confidential – For Training Purposes Only 9

Course or Module Title

The first thing to note on this panel is the ‘Check Mark’ next to the MANAGE USERs
setting, and that the ‘*’ is gone. This is the indication that all the required actions
have been completed under Manage Users. If you close and re-open the system
settings panel you will no longer see the ‘*’ next to Manage Users, you will also not
see the check mark. The check mark is only viewable while the system settings panel
is open after having completed the action.
This required visit to the Install License system setting is to help improve the
customer experience in finding the information for installing a license, specifically the
licensing serial number which is required to retrieve a license from the HPE licensing
portal. For customers who have already purchased the Advanced Data Services (ADS)
license this should also help to avoid configuration blocks of using both spinning hard
drives and solid state drives in their storage pools on the MSA.
At the top of this page is an ‘acknowledgement’ checkbox which will complete the
required visit without the need to install a license. The customer does not need to
buy a license just to complete the required visit. But if they have purchased the ADS
license, they can use the license serial number shown on this panel to retrieve the
ADS license through the licensing website. They can then install the license directly
here which will also complete the required visit.
I will click the Acknowledge checkbox and move to the next System Setting: Network

Confidential – For Training Purposes Only 10

Course or Module Title

Again the check mark is shown for the completed required visits.
On this panel we can set the Management IP addressing mode and IP settings.
Please see the HPE MSA System Management Utility Reference Guide for details on
setting the management IP addresses.
Next System Setting: Services

Confidential – For Training Purposes Only 11

Course or Module Title

The Services panel will allow the customer to configure the protocols and services
that will be able to manage the system. By default only the secure protocols have
been enabled. If LDAP authentication is enabled then ONLY secure protocols can be
enabled. This is to avoid sending a user’s credentials over an un-encrypted protocol.
For example an FTP or Telnet session will send username and password over the
network in plain text.
Next System Setting: System Information

Confidential – For Training Purposes Only 12

Course or Module Title

The System Information panel allows the customer to set information about the HPE
MSA. This information is purely to help identify the MSA. It can be used to help
identify the MSA through SNMP or in the logs. The System Name also appears on the
BANNER of the System Management Utility.
Next System Setting: Notifications

Confidential – For Training Purposes Only 13

Course or Module Title

The Notifications panel is another required visit. The customer can opt-out of setting
any notifications with the checkbox at the top the page but this should be
discouraged. In review of customer issues we have seen some unfortunate cases
where customers have not been aware that their HPE MSA has become degraded and
have run the system until multiple conditions exist which impact host I/O and data
integrity. In requiring a visit to the notifications page we hope to limit the number of
customers who fail to let the Storage System notify them of degraded conditions.
There are three notification protocols which can be configured on this panel: SMTP
or Email, SNMP, and SYSLOG. Configuring any one of the protocols will complete the
required action for Notifications.

Confidential – For Training Purposes Only 14

Course or Module Title

Here is the lower portion of the Email alerts settings. The top portion on the
previous slide showed the Email server settings which were required. Here we see
the full section of setting the alert level and the email destinations.
The next section is the Health Alerts, this feature has been available in previous
firmware versions but we want to highlight it again. The Health Alerts are a weekly
email from your system which will remind you if the system is degraded, or will let
you know that the current health is ok. The lack of receiving a weekly email is also an
indication that the MSA requires attention.

Finally there is a test button to validate that all settings are correct and that email
alerts can be received correctly

Confidential – For Training Purposes Only 15

Course or Module Title

Here we show the SNMP settings. This includes the notification level, the trap
destination IP addresses, and the READ and WRITE community strings. And finally
the test button to send a test SNMP trap to validate settings are correct.

Confidential – For Training Purposes Only 16

Course or Module Title

The third notification protocol which can be used is Syslog and here are the settings.
This includes the notification level, the syslog server IP addresses, and syslog
protocol port. And finally the test button to send a test Syslog event to validate
settings are correct.

Confidential – For Training Purposes Only 17

Course or Module Title

The last tab within the Notifications topic is Managed Logs. The settings here are the
email destination, whether to include logs and finally the test button. Email
notifications must be configured for Managed logs to function.
Managed Logs is a notification that the internal array logs are nearing a full state and
that the oldest sections will be overwritten. The alerts received can either prompt the
customer to gather a set of logs from the array – the ‘Pull method’ or will attach the
log portion that will be overwritten to the notification email – the ‘Push method’.
When an issue occurs on the MSA the logs are used to look back on when the issue
started occurring and also review the details of what was happening. Having all the
logs is of great value to the support organization in gathering information and
bringing the customer back online in a timely manner.

For all of the notifications, please review the HPE Storage Management Utility
Reference Guide for the details on the settings.

Next System Setting: Ports

Confidential – For Training Purposes Only 18

Course or Module Title

The Ports panel does not appear on all MSA systems, namely the MSA 2050/2052 SAS
systems. That is because there are no port parameters to configure on these
systems.
Again the customer can opt-out of making any configuration changes to the Host
Protocol ports, or the customer can configure all details of a port.
For fibre channel ports the defaults are typical and recommended. For iSCSI, the IP
addresses need to be configured manually in order to allow host connectivity. iSCSI
ports can be configured either using IPv4 or IPv6. Configuring for IPv6 and other iSCSI
settings: CHAP, Jumbo Frames and iSNS settings are available on the ‘Advanced
Settings’ tab.
For SAN controllers the host ports can be configured in 3 different states: FC, iSCSI, or
FC-and-iSCSI. Within the MSA QuickSpecs is a table detailing all the options for host
port protocol. The host port mode setting had previously been a CLI only option, it’s
now here under “Set Host Port Mode” in a required visit to create a better customer
experience.
Please see the HPE Storage Management Utility Reference Guide for more
information on Port settings and overall system settings.

Confidential – For Training Purposes Only 19

Course or Module Title

Here are the advanced port settings. For more information on the advanced settings
for iSCSI see the HPE MSA System Management Utility Reference Guide.

Confidential – For Training Purposes Only 20

Course or Module Title

Confidential – For Training Purposes Only 21

Course or Module Title

With the firmware upgrade to VE270 or VL270 the customers now have a new feature
that will give them the option to authenticate users with an existing Windows Active
Directory running on Windows 2016 or Windows 2012 R2. Other implementations of
LDAP servers have not been tested or qualified.
To configure LDAP there are a number of parameters of the Active directory
infrastructure and schema which need to be configured. These include the IP
addresses of a primary and alternate server to use for authentication, the port to be
used, and the User Search Base for the user’s domain.
The User Groups on the MSA are what provide access or deny access. These will need
to be named EXACTLY as the Active Directory group that is created or used. A new
MSA management role, called STANDARD, has been created to allow authenticated
LDAP users to manage the MSA but not allow operations which could impede
traceability.
Which brings us to the final part of the LDAP integration, traceability and the Audit
Log. This is where all management interaction including login, failed logins, settings
changes and provisioning changes are tracked. Each controller will maintain an
individual Audit log of a maximum size of 2MB. The Audit log can be reviewed in the
CLI only. Both the CLI on the A controller and the B controller will need to be accessed
to see ALL management interactions on the system as each controller will only show

Confidential – For Training Purposes Only 22

their own management interactions.

22
Course or Module Title

Here is the view of the LDAP configuration in the System Management Utility. To
complete this page you will need to know details about the Active Directory servers.
On this page you can see we have entered server IP addresses for both a primary and
alternate Active Directory server. We have accepted the default Port of 636, a secure
port. And we have set the User Search Base to “OU=Users,DC=BigCo,DC=com”. This
would start the search in the Organizational Unit “Users” in the BigCo.com domain.
Active Directories can be very large, containing hundreds of thousands of users,
groups, computers and other objects. In order to speed the operation of finding a
user in the directory, the customer will provide a starting point inside the Active
Directory hierarchy to narrow the focus. That is done with the User Search Base. In a
typical Active Directory user accounts will be contained in an Organization Unit
structure hierarchy.

Also on this page we have added 3 User groups: MSA-Admins, MSA-Manage, MSA-
Monitor These groups must be separately created within the Active Directory and
users must be made members of the groups.
The difference in the groups shown is the ROLES which have been assigned. MSA-
Manage has the familiar ‘manage’ role, allowed to fully manage the array. MSA-
Monitor has the ‘monitor’ role and is only allowed to view the configuration. The

Confidential – For Training Purposes Only 23

MSA-Admins group has the new ‘standard’ role, this role will allow the capabilities of
the manage role except for user management, write operations performed through
FTP or SFTP and file uploads from WBI and restore defaults command. These same
roles can be applied to local users and LDAP users.
The preferences are the same preferences that exist for local users. Setting these will
change how the management interfaces present information. For example: Base 2 vs
Base 10 for capacity sizes, Celsius vs farenheit for temperature readings. More
information on the preferences is available in the HPE MSA System Management
Utility Reference Guide.

23
Course or Module Title

The MSA does not retain any Active Directory credentials to query the LDAP server, it
relies on the credentials supplied during login to contact the Active Directory and
return the information required. The supplied credentials will be compared to Local
users first, then to the primary Active Directory server and finally to the alternate
Active Directory server.

The supplied credentials are used to authenticate into the Active Directory and query
for the user’s group membership. Only the first 100 groups are returned.

The MSA then compares the user groups NAMES returned with the User Group
NAMES created on the MSA. The user will then get the permissions of the first group
name which matches. If a user is a member of more than one MSA user group with
different roles then the permissions may change each time the user logs into the
MSA.

Users should be allowed to logon to the Active Directory, should not be a member of
more than 100 groups and should only be a member of one group which also is a
User Group on the MSA.

Confidential – For Training Purposes Only 24

This process allows the MSA to authenticate against Active Directory users without
the complexity of joining the domain.

24
Course or Module Title

The top of this screen shows a snippet of the audit log. There is all the information
about the attempted interaction encoded in each line. Starting with the…
Date and time of the attempted action
An internal ID
The process which was accessed: Here we have logins to both the SSH protocol and
the System Management Utility, along with a failed login from BigCo\Joe on SSH
The controller which was accessed
The user accessing and running commands

Confidential – For Training Purposes Only 25

Course or Module Title

Here we are just showing a command which is provisioning storage and a failed login,
which were also shown on the previous slide.
Going to the next part of the string returned take us to GID, the group ID. As these
commands were run with local users there are no groups
Next the session ID
The Action taken – addition of a disk-group and a login attempt
The Host IP – the system accessing the MSA management
The Subsystem
The Return Code
And finally a message if a return message is necessary

With this information the end user can trace what actions have been taken on the
array, when and by whom. This log is unique per controller and has a maximum size
of 2MB. Depending on management usage the time covered in the audit log will
differ.

Confidential – For Training Purposes Only 26

Course or Module Title

Next we will look at the new I/O workload feature

Confidential – For Training Purposes Only 27

Course or Module Title

Access to the I/O Workloads is available in the main view footer and is therefore
accessible from any Topic. The I/O Workload is circled on this slide. We will go
through the details on what information is included in the I/O Workload in the next
couple of slides.

Confidential – For Training Purposes Only 28

Course or Module Title

The I/O workload graphs are a benefit with the move to Virtualized storage on the
MSA family. With virtual storage, the MSA is allocating host LBA requests into 4MB
pages. Each access to a page is tracked so that the tiering algorithm can move pages
to the correct tier. This process happens even if there is only a single tier. Using this
access information the MSA can determine which pages are being accessed and how
many times. Putting all that data together into a graph and displaying would be
disruptive to normal I/O processing, so the MSA logically divides the available POOL
capacity into 1000 equal ‘buckets’ of capacity, the example here is a Pool of 20TB so
each bucket would be 20GB and contain 5000 4MB pages. The system will then add
up all 4MB page accesses and total them for the ‘bucket’. Looking at all the buckets
will result in the graph.
The I/O Workload graph is an extension of the Flash Advisor program and could be an
indicator of the value of the SSD capacity currently configured in the MSA or an
indicator that SSD flash capacity increase would help overall performance.

Confidential – For Training Purposes Only 29

Course or Module Title

The shown 2 graphs are from the same system, controller A and controller B. They
are running roughly the same bench test workload.
There are 3 graphed lines, 100% of the workload, 80% of the workload and 50% of
the workload.
100% of the workload is the aggregation of all the ‘buckets’ which have had I/O
accesses. Not shown is that these Pools are >10TB each. The points for the 100%
line are showing that of the 10+TB of usable capacity, only 600GB are being accessed
each day. If you move to the 80% line, the data accesses are even more localized and
80% of the access to the 10+TB of capacity are occurring on less that 200GB of data.
The 50% line shows even more localized.
The first graph is indicating that 80% of the I/Os to that pool could have been found in
the SSD capacity. Remember “could”. Each workload will be different and unique
workloads could also have almost all of the I/Os landing in new pages which have not
yet been moved to an SSD tier.
The second graph is indicating that: IF the customer is looking for more performance
or lower latency, THEN a small investment in 200GB of SSD capacity could help
performance and latency with 80% of the daily I/Os.
Just to repeat, each workload will be different and where this graph may seem to
very clearly show how much SSD capacity will help, knowledge of the workload from

Confidential – For Training Purposes Only 30

the host side is vital to making the right decision about SSD capacity. Also be aware
that as storage is reconfigured, the workload could change and what seemed to be
the right SSD capacity before is now too small or too large.

30
Course or Module Title

The last topic in this training is the performance improvements with the VE270
firmware for the MSA 1050 systems

Confidential – For Training Purposes Only 31

Course or Module Title

With the VE270 firmware release we have adjusted the hardware settings for the
controller to enable higher performance. The higher performance is capable in the
controller but still requires a disk configuration which is also capable of the higher
performance, in the case of Random READs and WRITEs SSDs will be required to
attain the maximum performance. There is no additional license or any user settings
to be applied, merely install the new firmware AND have a system capable of
providing performance on the backend. Customers should not expect to see a
change in performance if they have few drives and no SSDs.
This chart is showing the sequential throughput available with RAID 10 and RAID 6 on
the fibre channel MSA 1050 Controllers, for the most part there is only modest
performance gain.

Confidential – For Training Purposes Only 32

Course or Module Title

Now we are looking at the random performance. Again for the MSA 1050 Fibre
channel controller but all controllers will benefit from the changes similarly. Here we
can see some marked improvement. The performance improvement is typically
greater than 25% the final numbers will be posted in the MSA QuickSpecs.

Confidential – For Training Purposes Only 33

Course or Module Title

Here are some helpful links to the previous learnings on MSA 5th generation systems
and also links to the MSA firmware, documentation and the MSA technical Yammer
site.

Confidential – For Training Purposes Only 34

Course or Module Title

That is the end of this training presentation. Thank you for your attendance.

Confidential – For Training Purposes Only 35